rend-spec: Recommend a 490-byte INTRODUCE1 message.

Closes #222; see arti#1031

1 files changed, 11 insertions, 2 deletions

diff --git a/rend-spec-v3.txt b/rend-spec-v3.txt
index c2fe833..d836d23 100644
--- a/rend-spec-v3.txt
+++ b/rend-spec-v3.txt
@@ -1966,8 +1966,13 @@ Table of contents:
    extending to the rendezvous point. It must be of a type listed as
    supported in the hidden service descriptor.
 
-   When using a legacy introduction point, the INTRODUCE cells must be padded
-   to a certain length using the PAD field in the encrypted portion.
+   The PAD field should be filled with zeros; its size should be chosen
+   so that the INTRODUCE2 message occupies a fixed maximum size, in
+   order to hide the length of the encrypted data.  (This maximum size is
+   490, since we assume that a future Tor implementations will implement
+   proposal 340 and thus lower the number of bytes that can be contained
+   in a single relay message.)  Note also that current versions of Tor
+   only pad the INTRODUCE2 message up to 246 bytes.
 
    Upon receiving a well-formed INTRODUCE2 cell, the hidden service host
    will have:
@@ -2804,6 +2809,10 @@ Appendix G. Text vectors
           0000000000000000000000000000000000000000000000000000000000000000
           000000000000000000000000000000000000000000000000000000000000
 
+      (Note! This should in fact be padded to be longer; when these
+      test vectors were generated, the target INTRODUCE1 length in C
+      Tor was needlessly short.)
+
     The client now begins the hs-ntor handshake.  It generates
     a curve25519 keypair: